Uploaded image for project: 'Bamboo'
  1. Bamboo
  2. BAM-21267

Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

    XMLWordPrintable

    Details

    • CVSS Score:
      9.1
    • CVSS Severity:
      Critical

      Description

      Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):

      On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

      This is the result of an incomplete fix for CVE-2020-27955.

      This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

      Fix contains only changes to Windows AMIs used by Bamboo Elastic agents

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: